jonsson.eu

EMAILFORM

The EMAILFORM script, written in PHP, generates XHTML code for a form that
delivers simple messages as emails. Besides sending email messages, the script
performs checks to determine whether a message should be considered spam, and
the footer of each sent email carries a link for looking up the sender's IP
address. The EMAILFORM script is the server-side engine of the messaging form
found at jonsson.eu.

Summary of the script

The parameters supplied via the fields of the form are posted by the script
to itself; on that second run the script performs tasks such as spam checking,
which gives a self-contained and simple way of checking user input and
issuing guidance messages. The script employs either a native sendmail
facility, such as the one in the Apache servers shipped with Apple's OS X,
or the SMTP mail instance of the PEAR [1] extension of PHP.
Currently, the EMAILFORM script supports dynamic switching between two
languages: English (default) and Swedish. To provide headers, labels or help
messages in other languages, a few easily identifiable strings in the code
need to be translated into the desired language.

In addition to sending email messages, the script also performs checks to
determine whether a message should be considered spam, and the footer of each
sent email carries a link for looking up the sender's IP address in the
RIPE.net whois server. Typically, this feature is useful for identifying the
addresses behind malicious intrusion or spam attempts.

Before sending any message, the EMAILFORM script constructs a simple test form
which the user needs to pass, in order to separate real users from web crawlers
and robots. This way spam is considerably reduced, if not entirely eliminated.

The (X)HTML code generated by the EMAILFORM script conforms to the XHTML 1.0
Strict specification. According to the XHTML 1.0 Strict document type
definition (DTD), no <input> elements are allowed as direct descendants of a
<form> block, for some strange reason. Therefore, every <input> element is
here wrapped in a <p> (paragraph) block, even though some of the <input>
elements are hidden. The wrapping within <p> blocks is a bit odd, as the
<input> blocks clearly have a place within <form>, while they hardly could be
considered paragraphs. The only reason for this rather strange construction,
as far as I have found, is to make the code pass XHTML 1.0 Strict validation,
which it clearly does.

Source files

Settings

In the emailform($lang) function, there are a few settings which need to
be modified in order to configure EMAILFORM to operate properly on your
particular web server. These parameters determine the way EMAILFORM responds
to user input and how it delivers the messages.

First of all, define which fields to display at all. Any of these Boolean
switches set to false prevents the respective field from being displayed.
In my personal opinion the "Subject" field is rather silly, but some users
may consider it useful anyway, since it is a quite revealing indicator of any
spam that may have slipped through the check.

$DO_DISPLAY_SENDERS_NAME_FIELD

A Boolean parameter that determines whether to display the "Your name:" field
or not. Recommended setting: true.

$DO_DISPLAY_SENDERS_EMAIL_FIELD

A Boolean parameter that determines whether to display the "Your email:" field
or not. Recommended setting: true.

$DO_DISPLAY_SUBJECT_FIELD

A Boolean parameter that determines whether to display the "Subject:" field
or not. Recommended setting: false. (The subject is rather clear anyway in
the usually short messages delivered via web forms.)

Next, the following parameters determine the required fields of the form,
to which additional checks will be applied before any email is sent.
In other words, these parameters determine which of the fields are considered
essential information for the message to be delivered. Again, my personal
opinion is that the sender's email address should always be required, but
that empty name fields or empty message bodies should be allowed.
Each field can be individually enabled or disabled as required.

Notice: Any field that has been disabled for display by one of the parameters
above is unaffected by the corresponding "*_REQUIRED" switch below, as the
required-field check is applied only to those fields which actually are
displayed - neat and simple.

$SENDER_NAME_REQUIRED

A Boolean parameter that determines whether anyone using the email form
should be required to supply his/her name in the assigned field.
Recommended setting: false.

$SENDER_EMAIL_REQUIRED

A Boolean parameter that determines whether anyone using the email form
should be required to supply his/her email address (return address) in the
assigned field. Recommended setting: true.

$SUBJECT_REQUIRED

A Boolean parameter that determines whether anyone using the email form
should be required to supply a subject for the message in the assigned field.
Recommended setting: false.

$MESSAGE_REQUIRED

A Boolean parameter that determines whether anyone using the email form
should be required to supply a non-empty message in the assigned field.
Recommended setting: false.

$RECIPIENT

The email address of the recipient to which the messages are to be sent.
Typically this string is of the form "My Name <me@mydomain.com>".
Otherwise, a plain email address of the form "me@mydomain.com" will do fine.
Usually, the recipient address is the one you check as your regular address.
Notice that this address is "safe" in the sense that it is never displayed or
revealed to the outside world, as it always stays hidden on the PHP server.
(This is, of course, one of the major reasons for having an email form in
the first place, rather than an explicitly displayed email address which will
immediately be harvested by spam robots visiting the page.) See the further
parameters below configuring the delivering agent.

$NOTIFY_ON_SPAM_ATTEMPTS

The Boolean $NOTIFY_ON_SPAM_ATTEMPTS switch determines whether EMAILFORM
should inform the mail recipient (as set by the $RECIPIENT parameter above)
that a spam attempt has been detected.
Set $NOTIFY_ON_SPAM_ATTEMPTS to true to notify the recipient on spam attempts.
The default value for this parameter is false, as I personally do not care
how many attempts per day were caught.
However, regardless of whether the recipient is informed or not, the person
or agent sending the spam is never notified that the mail has been detected
as spam. From his/her/its own perspective, everything looks as if the message
has been delivered.
The useful thing about this behaviour of the EMAILFORM script is that
selective evolution never reaches the spam senders, as no feedback on success
or failure is supplied.

$PASSCODE_SEED

As a final check before submitting any email, the EMAILFORM script generates
(X)HTML code for a simple addition test to be passed by the user. The two
terms to be added are constructed automatically from $PASSCODE_SEED, a number
which may be chosen arbitrarily.
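One way to implement this addition test, as an added example that is not code from emailform.php: the first run emits the two terms and a hidden field, the second run (the self-post described in the summary above) checks the answer. The function names, the hidden-field layout and the use of an HMAC keyed by $PASSCODE_SEED to derive and authenticate the terms are assumptions of this example, not the script's actual construction.

```php
<?php
// Added example, not code from emailform.php: one way to implement the
// addition test EMAILFORM puts before the user, keyed by $PASSCODE_SEED.
// Function names and the hidden-field layout are assumptions of this example.

$PASSCODE_SEED = 1912;

// Derive the two terms for one request. A per-request nonce is mixed in so
// that the challenge differs between page loads instead of being fixed.
function passcode_challenge(int $seed, string $nonce): array
{
    $digest = hash_hmac('sha256', $nonce, (string) $seed);
    return [
        'a' => 1 + (hexdec(substr($digest, 0, 2)) % 9),   // 1..9
        'b' => 1 + (hexdec(substr($digest, 2, 2)) % 9),   // 1..9
    ];
}

// Authentication tag for the nonce, carried in a hidden field. The second run
// re-derives the expected sum from the nonce, so nothing is stored server-side,
// and without the seed a visitor cannot forge a tag for a nonce of their choosing.
function passcode_tag(int $seed, string $nonce): string
{
    return hash_hmac('sha256', 'tag:' . $nonce, (string) $seed);
}

// First run: emit the fields of the test. Each <input> is wrapped in a <p>
// block, which is what XHTML 1.0 Strict demands of inputs inside <form>.
function passcode_form_fields(int $seed): string
{
    $nonce = bin2hex(random_bytes(8));
    $terms = passcode_challenge($seed, $nonce);
    $tag   = passcode_tag($seed, $nonce);
    $esc   = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    };
    return '<p><input type="hidden" name="nonce" value="' . $esc($nonce) . '" /></p>' . "\n"
         . '<p><input type="hidden" name="tag" value="' . $esc($tag) . '" /></p>' . "\n"
         . '<p><label for="answer">' . $terms['a'] . ' + ' . $terms['b'] . ' = </label>'
         . '<input type="text" id="answer" name="answer" size="4" /></p>' . "\n";
}

// Second run: accept the submission only if the tag is genuine for the posted
// nonce and the answer equals the sum derived from that nonce.
function passcode_verify(int $seed, array $post): bool
{
    $nonce  = $post['nonce']  ?? '';
    $tag    = $post['tag']    ?? '';
    $answer = $post['answer'] ?? '';
    if (!is_string($nonce) || !is_string($tag) || !is_string($answer)) {
        return false;
    }
    if (!preg_match('/^[0-9a-f]{16}$/', $nonce)
        || !hash_equals(passcode_tag($seed, $nonce), $tag)) {
        return false;
    }
    $terms  = passcode_challenge($seed, $nonce);
    $answer = trim($answer);
    return ctype_digit($answer) && (int) $answer === $terms['a'] + $terms['b'];
}

// Demonstration on constructed POST data: a correct answer with a genuine tag,
// then the same answer with a forged tag.
$nonce = bin2hex(random_bytes(8));
$terms = passcode_challenge($PASSCODE_SEED, $nonce);
$sum   = (string) ($terms['a'] + $terms['b']);
var_dump(passcode_verify($PASSCODE_SEED,
    ['nonce' => $nonce, 'tag' => passcode_tag($PASSCODE_SEED, $nonce), 'answer' => $sum]));
var_dump(passcode_verify($PASSCODE_SEED,
    ['nonce' => $nonce, 'tag' => str_repeat('0', 64), 'answer' => $sum]));
```

Two design points follow from this construction. Since the tag is only as hard to forge as the seed is to guess, a long random seed serves better than a small memorable number. And because nothing is stored between the two runs, a valid nonce/tag/answer triple can be replayed; if that matters, bind the nonce to a session or a time bucket and check it on the second run.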

$USE_PEAR_SMTP_SENDMAIL

The boolean $USE_PEAR_SMTP_SENDMAIL switch determines whether to use
the PEAR::Mail SMTP agent for delivering mail or not. If set to "false",
the EMAILFORM script will assume that a local sendmail agent has been
properly set up instead. My recommendation is to use PEAR::Mail whenever
possible.

If $USE_PEAR_SMTP_SENDMAIL is set to 'true', then we also need to set
the following parameters, to be supplied to the PEAR mail agent. (In case you
wonder about how the PEAR mail agent delivers email, or if you simply wish
to download the latest PEAR::Mail agent, please visit the PEAR repository
at
http://pear.php.net/package/Mail.) Otherwise, if simply using a native
sendmail agent, the following parameters can be safely ignored.

$PEAR_SMTP_SENDMAIL_HOST

The host to use when sending SMTP email. This is typically a server of the
form "mail.some.server.com".

$PEAR_SMTP_SENDMAIL_AUTHENTICATION

A Boolean parameter, which if set to 'true' will provide a user ID and
password to the SMTP agent when sending the email (as required by some
Internet Service Providers).

$PEAR_SMTP_SENDMAIL_USERNAME

The user name (ID) to use when authenticating the send request at the SMTP
agent.

$PEAR_SMTP_SENDMAIL_PASSWORD

The password to use when authenticating the send request at the SMTP agent.

Finally, a setting which you (unfortunately) most likely will have to modify
over time is what should trigger EMAILFORM on spam attempts. For this purpose,
there are two arrays of strings containing words that cause a message to be
considered spam if any of them appears in the message text (determined by the
array $SPAM_TRIGGERS_IN_MESSAGE) or in the address of the sender (determined
by the array $SPAM_TRIGGERS_IN_ADDRESS).

IMPORTANT NOTICE: By disabling the requirement that the email address be
specified (that is to say, with $required["email"]=false;), any check on the
correctness or validity of the email field is also disabled. This leaves the
field open to malicious mail-spamming attempts via the well-known "CC: "
injection in the text supplied in the email field, which could be exploited
for unsolicited en-masse email submissions. Hence it is STRONGLY RECOMMENDED
that you keep $required["email"]=true below, just to be on the safe side.
When using PEAR::Mail as the email agent in the EMAILFORM script, a check is
always performed for malicious "CC: " or "BCC: " injection attempts, but I
give no warranty that all possible security holes are covered.
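The checks described in this settings section (required fields, the email-field injection notice, the two spam trigger arrays) and the hand-over to PEAR::Mail with the $PEAR_SMTP_SENDMAIL_* parameters, combined in one added example that is not code from emailform.php. The function names, the $display/$required arrays (mirroring the $DO_DISPLAY_* and *_REQUIRED switches in the $required["email"] form the notice uses), and the sample trigger lists and submissions are constructed for this example; the PEAR::Mail calls follow the public Mail API (Mail::factory and send). Unlike the script as described, this example validates a supplied address even when the email field is not required, so the injection check does not depend on that switch.

```php
<?php
// Added example, not code from emailform.php: a submission check that applies
// the required-field switches, rejects CR/LF in the email field (the carrier
// of the "CC:"/"BCC:" injection the notice warns about), matches the spam
// trigger arrays, and only then hands the message to PEAR::Mail with the
// $PEAR_SMTP_SENDMAIL_* settings. Function names are assumptions of this example.

// A return address is accepted only if it contains no CR/LF and is a
// syntactically valid address; either failure is reported to the user.
function valid_return_address(string $email): bool
{
    if (preg_match('/[\r\n]/', $email)) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Case-insensitive substring match against the trigger words.
function matches_trigger(string $text, array $triggers): bool
{
    foreach ($triggers as $word) {
        if ($word !== '' && stripos($text, $word) !== false) {
            return true;
        }
    }
    return false;
}

// Returns 'send', 'spam', or a guidance message for the user. $display and
// $required mirror the $DO_DISPLAY_* and *_REQUIRED switches; only displayed
// fields are subject to the required-field check, as the settings describe.
function check_submission(array $post, array $display, array $required,
                          array $spam_in_message, array $spam_in_address): string
{
    $labels = ['name' => 'Your name', 'email' => 'Your email',
               'subject' => 'Subject', 'message' => 'Message'];
    foreach ($labels as $key => $label) {
        $value = trim((string) ($post[$key] ?? ''));
        if (!empty($display[$key]) && !empty($required[$key]) && $value === '') {
            return "Please fill in the \"$label\" field.";
        }
    }
    $email = trim((string) ($post['email'] ?? ''));
    if ($email !== '' && !valid_return_address($email)) {
        return 'Please supply a valid email address.';
    }
    if (matches_trigger((string) ($post['message'] ?? ''), $spam_in_message)
        || matches_trigger($email, $spam_in_address)) {
        return 'spam';   // the caller answers exactly as for 'send', so the sender learns nothing
    }
    return 'send';
}

// Delivery through PEAR::Mail (http://pear.php.net/package/Mail) using the
// settings from the configuration section. Returns true or a PEAR_Error.
function deliver(array $post, string $recipient, string $host,
                 bool $auth, string $username, string $password)
{
    require_once 'Mail.php';   // PEAR::Mail is needed by this function only
    $subject = trim((string) ($post['subject'] ?? ''));
    $headers = [
        'From'    => $post['email'],   // already validated: no CR/LF
        'To'      => $recipient,
        'Subject' => $subject === '' ? 'Message from the web form'
                                     : str_replace(["\r", "\n"], ' ', $subject),
    ];
    $params = ['host' => $host, 'auth' => $auth];
    if ($auth) {
        $params['username'] = $username;
        $params['password'] = $password;
    }
    $mail = Mail::factory('smtp', $params);
    return $mail->send($recipient, $headers, (string) ($post['message'] ?? ''));
}

// Constructed switches, trigger lists and submissions for demonstration.
$display  = ['name' => true,  'email' => true, 'subject' => false, 'message' => true];
$required = ['name' => false, 'email' => true, 'subject' => false, 'message' => false];
$SPAM_TRIGGERS_IN_MESSAGE = ['casino', 'http://'];
$SPAM_TRIGGERS_IN_ADDRESS = ['noreply'];
$samples = [
    ['email' => 'alice@example.net', 'message' => 'Hello from the web form.'],
    ['email' => "alice@example.net\r\nBcc: someone@example.org", 'message' => 'Hi'],
    ['email' => 'bob@example.net', 'message' => 'Try our CASINO tonight'],
    ['email' => '', 'message' => 'forgot the address'],
];
foreach ($samples as $s) {
    echo check_submission($s, $display, $required,
                          $SPAM_TRIGGERS_IN_MESSAGE, $SPAM_TRIGGERS_IN_ADDRESS), "\n";
}
```

Only the email and subject values reach the header block, and both have had CR/LF removed or rejected before deliver() is called; the body is passed separately to send(), so trigger words or line breaks in the message cannot add headers. A 'spam' verdict should be answered with the same confirmation page as 'send', which is the silent behaviour the $NOTIFY_ON_SPAM_ATTEMPTS section describes, and on failure send() returns a PEAR_Error that the caller should log rather than display.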

Example of usage

In order to invoke EMAILFORM for the generation of an email form (provided that
the proper settings have been included in emailform.php), simply add the
following block to an (X)HTML-generating PHP page:

<?php
include "emailform.php";
emailform("en");
?>

The user-end interface to the routines included in the EMAILFORM group of
scripts is the function emailform($lang), listed at the very end of
emailform.php. The $lang parameter of this function specifies which language
to use for headers, help messages etc. Currently only two choices are valid:
$lang="en" (English) or $lang="sv" (Swedish).

Following the above specifications on how to configure EMAILFORM, an example
configuration, as appearing in the beginning of the emailform.php file, might
be something like:

$DO_DISPLAY_SENDERS_NAME_FIELD=true; // Display "Your name:" field
$DO_DISPLAY_SENDERS_EMAIL_FIELD=true; // Display "Your email:" field
$DO_DISPLAY_SUBJECT_FIELD=false; // Don't display "Subject:" field
$SENDER_NAME_REQUIRED=false; // Sender name is not required
$SENDER_EMAIL_REQUIRED=true; // Sender email address is required
$SUBJECT_REQUIRED=false; // Ignored, as "Subject:" not displayed
$MESSAGE_REQUIRED=false; // Empty message bodies will be allowed
$RECIPIENT="Your Name <me@mydomain.com>"; // Address of recipient
$NOTIFY_ON_SPAM_ATTEMPTS=false; // Do not notify on spam attempts
$USE_PEAR_SMTP_SENDMAIL=true; // Yes, we are using PEAR::Mail agent
//
// As $USE_PEAR_SMTP_SENDMAIL is set to 'true' above, we also need to
// set the following parameters, to be supplied to the PEAR mail agent.
//
$PEAR_SMTP_SENDMAIL_HOST="mail.your.mail.server.com";
$PEAR_SMTP_SENDMAIL_AUTHENTICATION=true;
$PEAR_SMTP_SENDMAIL_USERNAME="visitor@yourdomain.com";
$PEAR_SMTP_SENDMAIL_PASSWORD="password_goes_here";
//
// Define the seed to be used in generation of the passcode verification of
// the user.
//
$PASSCODE_SEED=1912;